The global energy sector needs to stay alert for Triton malware, the Federal Bureau of Investigation said in a recent warning.
Triton (also known as Trisis and HatMan) is designed to "cause physical safety systems to cease operating or to operate in an unsafe manner," the FBI says in its Private Industry Notification (PIN 20220324-001). The malware was used in a 2017 cyberattack against a Middle East petrochemical facility. The Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM), a Russian government-backed research institution, is believed to have carried out the attack, and last week the United States Department of Justice unsealed an indictment against a Russian national and TsNIIkhM employee involved in that attack.
In the 2017 attack, Triton targeted a Schneider Electric Triconex safety instrumented system (SIS), which initiates safe shutdown procedures in emergency situations. The attacker gained initial access and then moved laterally through the IT and OT networks to reach the safety system. The malware modified the in-memory firmware of the Triconex Tricon safety controllers. Had an emergency required the system to initiate a safe shutdown, the modified controllers could have caused damage to the facility, system downtime, and even loss of life, the FBI says.
TsNIIkhM is believed to still be conducting activities against the global energy sector, the FBI says. "Based on the attack framework and malware used in the original Triton incident, a similar attack could be designed against other SIS," the FBI says.
While Schneider Electric fixed the flaw in the Tricon controller, older versions are still in use and remain vulnerable. Potentially affected critical infrastructure asset owners and operators should regularly assess and monitor their SIS, monitor personnel with access to these systems, and practice contingency plans, according to the FBI warning. The PIN outlines other recommendations, including using a unidirectional gateway for applications that need to receive data from the SIS; implementing change management procedures for safety controller run-state key positions; deploying safety systems on isolated networks; and checking logs from network appliances, web servers, and third-party tools for signs of early-stage reconnaissance activity.
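One way to put the key-position change-management recommendation into practice is to audit recorded key-switch transitions against approved change windows. The script below is an added example, not from the FBI PIN or the article: the log format, controller names, change tickets and the assumption that the PROGRAM position is the one permitting logic or firmware modification are all constructed for illustration.

```python
"""Audit safety-controller key-switch transitions against approved change windows."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: PROGRAM is the key position that allows controller logic or
# firmware to be modified; adjust the set to the safety platform in use.
MODIFIABLE_POSITIONS = {"PROGRAM"}


@dataclass(frozen=True)
class KeyEvent:
    ts: datetime
    controller: str
    position: str


@dataclass(frozen=True)
class ChangeWindow:
    controller: str
    start: datetime
    end: datetime
    ticket: str  # change-management reference authorising the window


def parse_event(line: str) -> KeyEvent:
    """Parse one constructed record: '<ISO-8601 timestamp> <controller> KEY=<POSITION>'."""
    ts, controller, kv = line.split()
    return KeyEvent(datetime.fromisoformat(ts), controller, kv.split("=", 1)[1])


def is_approved(ev: KeyEvent, windows: list[ChangeWindow]) -> bool:
    """True if the event falls inside an approved window for that controller."""
    return any(w.controller == ev.controller and w.start <= ev.ts <= w.end for w in windows)


def audit(lines: list[str], windows: list[ChangeWindow]) -> list[KeyEvent]:
    """Return every move into a modifiable position that has no approved change window."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev.position in MODIFIABLE_POSITIONS and not is_approved(ev, windows)]


# Constructed sample data: one approved maintenance window on SIS-01, none on SIS-02.
SAMPLE_WINDOWS = [ChangeWindow("SIS-01", datetime(2024, 1, 10, 9, tzinfo=timezone.utc),
                               datetime(2024, 1, 10, 11, tzinfo=timezone.utc), "CHG-0001")]
SAMPLE_LOG = [
    "2024-01-10T08:05:00+00:00 SIS-01 KEY=RUN",
    "2024-01-10T09:30:00+00:00 SIS-01 KEY=PROGRAM",  # inside CHG-0001, approved
    "2024-01-10T10:15:00+00:00 SIS-01 KEY=RUN",
    "2024-01-11T02:47:00+00:00 SIS-02 KEY=PROGRAM",  # no window: flag for review
    "2024-01-11T03:10:00+00:00 SIS-02 KEY=RUN",
]

if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG, SAMPLE_WINDOWS):
        print(f"UNAPPROVED {ev.controller} -> {ev.position} at {ev.ts.isoformat()}")
```

Key-switch position is typically available from the controller's own diagnostics or event log; feeding those records in place of the constructed lines makes the check usable against real change tickets.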